Introducing Phish Threat and Phish Threat emulation with Sophos Central Part 1

The goal of the article

  • Part 1 of this article explains what Phish Threat is and how to prevent Phish Threat attacks, and introduces the Phish Threat feature available on Sophos Central.
  • In addition, the article walks through configuring the Phish Threat feature with a Campaign of the Phishing type on Sophos Central.

What is Phish Threat?

  • Phish Threat is a form of attack that aims to obtain sensitive information such as user names, passwords and credit card details, or to spread ransomware, by sending users emails that contain links, virus-infected files, or a fake message from a famous website such as Facebook, Amazon, Google … When users click on the message, a website appears that looks almost 100% like the real one, so users let their guard down and readily enter their information into the fake website.
  • Simple example: you receive an email notifying you that a person on Facebook has sent you a friend request. Because it looks like a Facebook notification, you carelessly click to confirm the friend. A website that looks like Facebook then appears and asks you to enter your username and password, so you fill them in without a second thought, and your account information has been sent to the hackers.

How to prevent Phish Threat

  • Use a password manager: it automatically fills in login information only on legitimate domains, which helps you avoid giving your login information to fake websites.
  • Enable two-factor authentication wherever it is available; it prevents hackers from accessing your online account even if they somehow steal your login information.
  • Users need to ask themselves “Why am I being asked to log in?” or “I haven’t logged in here yet” when hackers try to imitate the login portals of popular websites they use.
  • For users to ask themselves these questions, it is important to raise their vigilance against fake attacks. We need internal training that simulates attacks on corporate users to help them better understand these fake attacks and be more alert.
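
The password-manager point above, as an added example that is not part of the original article and is not any product's actual code: a saved login is released only when the page's origin matches the stored origin exactly, so a page that merely looks like the real portal gets nothing. The vault entries, sample URLs and function names are constructed for illustration.

```javascript
// Constructed vault entries: each saved login is bound to one exact origin.
const vault = [
  { origin: "https://www.facebook.com", username: "user@company.example" },
  { origin: "https://accounts.google.com", username: "user@company.example" },
];

// Parse a page URL; the URL parser lowercases the host and drops default ports.
function parsePage(pageUrl) {
  try {
    const u = new URL(pageUrl);
    return { scheme: u.protocol, host: u.hostname, origin: u.origin };
  } catch {
    return null;
  }
}

// Second-to-last label of a saved host, e.g. "facebook". Assumption: a
// single-label suffix such as .com; real tools use the public suffix list.
function brandLabel(savedOrigin) {
  const labels = new URL(savedOrigin).hostname.split(".");
  return labels[labels.length - 2];
}

// Decide whether to offer a saved login for the page the user is looking at.
function autofillDecision(pageUrl, entries = vault) {
  const page = parsePage(pageUrl);
  if (!page) return { fill: null, reason: "unparsable URL" };
  if (page.scheme !== "https:") return { fill: null, reason: "not HTTPS" };

  // Only an exact scheme + host + port match releases credentials.
  const match = entries.find((e) => e.origin === page.origin);
  if (match) return { fill: match.username, reason: "exact origin match" };

  // A saved brand name inside a different host is the fake-login-page
  // pattern the article describes: refuse, and say why.
  const imitated = entries.find((e) => page.host.includes(brandLabel(e.origin)));
  return imitated
    ? { fill: null, reason: `imitates ${new URL(imitated.origin).hostname}` }
    : { fill: null, reason: "no saved login for this origin" };
}

// Constructed sample pages: the real portal and three pages that must not fill.
for (const url of [
  "https://www.facebook.com/login.php",
  "https://www.facebook.com.friend-request.example/login.php",
  "http://www.facebook.com/login.php",
  "https://intranet.company.example/",
]) {
  console.log(url, "->", JSON.stringify(autofillDecision(url)));
}
```

A missing autofill prompt on a page that looks familiar is therefore itself a signal that the user is not on the site they think they are on.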

Introducing the Phish Threat feature of Sophos Central

  • As mentioned above, to help users improve their vigilance against phishing attacks we need to simulate such attacks internally, and Sophos Central’s Phish Threat feature provides many simulated attacks of this kind.
  • Sophos Central provides the following types of attack simulation:
  • Phishing: This attack sends the user a link. When the user clicks it, the message “This is a fake attack but you have clicked” is displayed, followed by a training video for the user to watch. After viewing it, the user has to take a test.
  • Credential Harvesting: This attack sends the user a request such as a friend request from Facebook or a notice to change the Google password … When the user clicks, a website that looks like Facebook, Google … appears and asks the user to enter login information. After the user fills it in and logs in, the message above appears and the user has to watch the video and take the test.
  • Attachment: This attack sends the user an email with an attachment such as a Christmas greeting file or an electronic invoice. When the user opens the attachment, the message appears and the user must watch the video and take the test.

Instructions for configuring Phish Threat features on Sophos Central

  • To use the Phish Threat feature on Sophos Central, we first need to create a Sophos Central account.
  • To create a Sophos Central account, you can see the instructions here.
  • After acquiring a Sophos Central account, log into Sophos Central with the account you just created at
  • Next, select People to add users for the Phish Threat configuration.
  • Click Add > Add User.
  • The Add User table appears. Fill in the name in the FIRST & LAST NAME box and enter the email address in the EMAIL ADDRESS box.
  • Note: The email address must be a domain email address; do not use public email addresses like Gmail, Yahoo …
  • Next, so that the training emails sent to users do not end up in the Spam folder, we need to add the IP addresses and domains used for training to the trusted list (whitelist) on the mail server or on mail services like G Suite, Office 365 …
  • To obtain the IP addresses, log in to the Sophos Central account and click Phish Threat > Settings > Sending domains and IPs.
  • Now we will see two IP addresses and a series of domains that Sophos provides for the training.
  • Next, click MY PRODUCTS > Phish Threat > Campaigns to enter the Phish Threat feature.
  • To train users we need to create Campaigns; to create one, click New Campaigns.
  • We will set a name for the Campaign and choose its type.
  • There are 4 Campaign types:
  • Phishing: Attracting targeted users to click on a link in an email.
  • Credential Harvesting: Attracting targeted users to enter login information into a fake website.
  • Attachment: Attracting targeted users to open an attachment in an email.
  • Training: Enroll the target user for mandatory training based on the selected training modules.
  • We will run a simulated Campaign to see how it works.
  • In this article, we will simulate the Phishing Campaign type.
  • After clicking New Campaigns, we enter Phishing as the name of the Campaign, select Phishing as the type, and then click Next.
  • Next we select the attack pattern. Sophos provides many attack patterns imitating famous websites like Amazon, Adobe, Apple …; we just choose the type of attack we want.
  • Here we will select the first type, Delayed W2 Delivery, and then click Next.
  • Next, we choose the type of training for users. Sophos provides training types on internet threats such as Ransomware, Keyloggers, Macro Malware …; each training type includes 1 video clip with English subtitles and shows the video length.
  • We can choose up to 5 training types for 1 Campaign, and those training types will be assigned at random when sent to users.
  • Here we will select the Ransomware training and then click Next.
  • Next is the Customize section, which allows you to edit the contents of Attack Email, Reminder Email, Caught Landing, Training Landing.
  • This section contains 4 parts: Attack Email, Reminder Email, Caught Landing, Training Landing.

Attack Email

  • When we click the Attack Email section, we will see the available information such as Name, Email, Email Subject. We can change it if we want.
  • In this section, we will turn the email into one from the IT department, sent to staff, asking them to install new software and including a download link.
  • The From Name field will be set to Nguyen Van Phu.
  • The From Email field will be set to
  • In addition, we can use a sub-domain: tick use of a sub-domain on phishing URL replacement and enter ‘sophos’ in the box; at this time the email address is
  • In the Email Subject section, we will set it as [IT Room] Software installation required.
  • Next, scroll down to see the contents of the email that will be sent; we can click Edit to edit the content.
  • We will edit the email content into a request from the IT department to install software, as follows.

Reminder Email

  • This is the email that reminds us when we have left the test unfinished for too long.

Caught Landing

  • This Caught Landing section will contain a page with the content “This is not a real attack but it may have happened”.
  • This page appears when the user opens the email and clicks on the link. It lets the user know that this is a training exercise and that the user has not passed, so the user will have to watch a training video and take the test.
  • You can edit the content of the page by clicking Edit.

Training Landing

  • This is the announcement that we have been added to the training.
  • After modifying the Customize section, click Next to go to the Enroll Users section.
  • In this section we can assign 1 or more Users or Groups for training.
  • Click Next to go to Review & Schedule; in this section you can set the time for the training to take place.
  • You can choose Launch at schedule time to set a schedule, or select Launch immediately for the training to take place immediately after clicking Done.
  • The Sending Increment section lets us spread the sending of this training to many people over a certain period of time.
  • For example: if you choose Send to all enrolled users at the same time, this training will be sent to all users at once. If you select Send 5% and select Every hour, then every 1 hour the training will be sent to 5% of the total number of people selected in the Enroll Users section above.
  • Expand the Email, Training and Recipients sections to check the content of the email to be sent, the selected training, and the user name and email of each designated user.
  • Click Done to finish.
  • At this point, Sophos Central will display the statistics of the training.
  • As we can see, Active Campaigns shows the name of the training, Phishing; next to it is 1 Emails sent, meaning 1 email was sent.
  • Next is 0 Emails opened; this number will increase when a user opens the email.
  • Next is 0 Users caught; this number will increase when a user clicks on the link.
  • Next is 0 Finished training; this number will increase when a user completes the training.
  • Next we will go to the email account to see the email that was just sent.
  • Click to open the email and we will see information such as the sender, email address, email subject and email content, the same as we set up on Sophos Central.
  • After opening the email, we return to the Sophos Central page and reload it; the Emails opened figure has increased by 1 because we opened the email that was sent.
  • Back on the email page, we click the blue “here” link, and a page appears that is exactly the same as the Caught Landing page we set up.
  • The announcement page tells us “This is not a real attack but it may have happened”, and we have to watch the training video and take the test by clicking Go to training.
  • Go back to the Sophos Central page and reload it; the Users caught figure has increased by 1 because of the user who clicked on the link.
  • Go back to the announcement page. After clicking Go to training, the website navigates to a course called Ransomware, which we set up on Sophos Central.
  • This page displays the course name, Ransomware, along with the course content and duration.
  • Click Start Course to begin; a 4-minute video with English subtitles is displayed, and we have to watch the whole video to move on to the test.
  • After watching the whole video, we press Take Quiz to take the test.
  • Select the correct answers and click Complete Quiz to complete the training.
  • If you do not reach the score required to pass the test, you can click Reset Quiz to redo it or click Back to Lesson to review the video and find the answers.
  • Note: If the user clicks Complete but does not have enough points to pass the training, Finished training on Sophos Central stays at 0; it only increases when the user has enough points to pass the test.
  • After the user fails the test, we return to the Sophos Central page, reload it and see that the Finished training figure is still 0.
  • Next we will take the test again and score enough points to pass it.
  • Then go back to the Sophos Central page and reload it; the Finished training figure has increased by 1, meaning 1 person has completed the training.
  • Because this training applies to only 1 user, the figures are 100%. After completing the training, click on the name of the training, Phishing, to see the statistics on the training and its results.
  • Finally, to finish the training, click End Campaign.
